Today, when a user or client machine, e.g., a computer or a mobile device, requests a webpage on the Internet via a web browser, e.g., by sending a resource name through a Hypertext Transfer Protocol (HTTP) GET command to a web server, content is sent from the web server or other location on the Internet and is rendered at the web browser. Content can include both executable content and non-executable content that may be embedded in web pages that are received over the Internet. Executable content may include forms or other dynamic client-side scripts (e.g., inline scripts in JavaScript® scripting language or Asynchronous JavaScript and XML (AJAX)), while non-executable content may include hypertext markup tags in HyperText Markup Language 5 (HTML5) and Cascading Style Sheets (CSS) (JAVASCRIPT is a registered trademark of Oracle Corporation). JavaScript instructions that are embedded in web pages may be executed by a web browser when the web page is selected. As more and more users are interconnected over the Internet, computer security becomes increasingly important, as web pages may include malicious software (malware) that is inserted en route to a user. In some cases, a user may forgo security measures for certain websites and implicitly trust that the content being delivered will not harm the user's machine. However, third parties can circumvent web server security and insert bad content or manipulate active content in web pages during transit from trusted web domains to the user. For example, content that has the potential to steal information from the user machine may be inserted through cross-site scripting via a gateway or man-in-the-middle (MITM) injection by using malicious internet bots that masquerade as a user (by trying to log in) or that masquerade as user input (by changing user input clicks and input fields). The malicious internet bots may detect user input fields by using element identifiers or element classes in the HTML web page.
Prior art solutions for defending against script injection in HTML web pages have addressed rejecting bad data characters, limiting information in server responses, enforcing response lengths, limiting permissions in web browsers, or detecting bad scripts and blocking their execution or blocking execution of all scripts in a web browser. However, these solutions are not completely effective. For example, rejecting bad data requires that a web browser know all variations of malicious inputs in the data, whereas an attacker may only need to find one vulnerability in a website or browser code in order to exploit it. Additionally, limiting information in server responses, such as blocking script execution or limiting permissions in web browsers, may impact a user's experience online. A way of providing web browser security for preventing exploitable or malware-injected content in HTML web pages from executing at a web browser on a user client would be desirable.